If there is anything to be learned from 2017’s array of massive data breaches, it’s that single-password authentication is no longer enough to guarantee security. Deloitte, one of the world’s top accounting firms, learned this the hard way. Last year, the company was hit with a massive hack that compromised private emails as well as confidential information of some of its blue-chip clients. Sources told The Guardian that the breach occurred through an administrator’s account, which gave the hackers unrestricted access to everything else. The account in question required only a single password, with no two-step verification.

Selecting the “right” MFA solution can be tricky. First, because there is a constant flow of innovation in the authentication industry, resulting in numerous and diverse technologies even among solutions that supposedly follow the same standard. Second, because the applications and environments needing MFA are also very different (cloud vs. on-prem, legacy vs. web, LDAP vs. RADIUS, SAML, or OIDC, etc.). Lastly, because not all solutions have the same objectives or protect against the same risks.

As we should all know by now: 1) everything is getting connected, and the Internet is no longer only about computers and servers but also about billions of objects that once belonged to distinct categories, such as consumer electronics, automotive, medical devices, industrial and infrastructure systems, etc.; and 2) security issues are going to be even larger and scarier in the era of the Internet of Things.

This raises a few questions for the cybersecurity industry, such as: Are we ready to address this challenge? Have we developed the right tools yet? The short answer is no.

One of the main new features presented during Apple’s keynote this September is a face recognition mechanism that will be part of the iPhone X. FaceID, as the mechanism is called, will initially be used as a way to unlock the phone screen, which is also how TouchID was introduced on the iPhone 5s in 2013.

Passwords are prehistory. Passwords are dead. We’re going to end passwords. Sound familiar? Google probably has millions of results for each of these searches. Yet, for as long as I can remember – since the rise of the World Wide Web at least – passwords have been singled out as the flaw in this otherwise amazingly well engineered system.

It was supposed to be a nice weekend, but for many people working in IT and security organizations, last weekend turned out to be a nightmare. Self-replicating ransomware going by the name of WannaCry hit several hundred thousand computers worldwide, many of them in large organizations – the NHS, Renault, and Telefonica have been mentioned in the news. Every time such an attack makes the headlines, the priority for IT and security people is to manage the crisis: contain the spread, eradicate the worm, and resume normal business operations. This can take hours or days (and nights), sometimes longer, but hopefully everything is back to normal before the next one hits.

Multi-factor authentication (MFA) has become so commoditized in recent years that it’s easy to forget that it is a service running on servers, and that, as such, it can suffer interruptions and hacks. Recognizing this has consequences for how to pick and how to use an MFA service.

I attended the Gartner IAM Summit in Vegas this week. Great conference, lots of smart and inspiring people. Multi-Factor Authentication (aka MFA or 2FA or 2-factor…) was a frequent topic of discussion, both in the analysts’ sessions, which offered brilliant projections of the market trends – future, present, and past – and in the Access Manager vendors’ booths.

We use routers to move IP packets across the Internet and toasters to get crispy bagels. There are all kinds of brands, versions, and management features, but overall, routing and toasting each rely on a single technology. Authentication does not, especially when it comes to multi-factor (MFA or 2FA). Why is that, and is mobile the platform where authentication will eventually converge?

My awareness of password weakness started in 1992 when a college mate published in the university weekly bulletin a list of the students – and probably staff as well, I can’t remember – whose system account password was a noun. This prehistorical hack said it all.